Posted by CmdrTaco on Monday January 25, 2010 @10:36AM from the want-braaaains dept.

jibjibjib writes "Some of Australia's largest ISPs are preparing an industry code of conduct to identify and respond to users with botnet-infected computers. The Internet Industry Association, made up of over 200 ISPs and technology companies, is preparing the code in response to an ultimatum from the federal government.
ISPs will try to contact the user, slow down their connection, and ultimately terminate the connection if the user refuses to fix the problem. It is hoped that this will reduce the growth of botnets in Australia, which had the world's third-highest rate of new 'zombies' (behind the US and China)."

They don't need to disconnect bad users. They should just give a discount to users who are running secure operating systems that are more resilient to malware infections than Windows is.

For example, give OpenBSD users a 50% discount, since it's quite unlikely that their system will ever get infected or compromised. The same can probably be done for users using Solaris, NetBSD, FreeBSD and commercial UNIXes.

Linux and Mac OS X are more widely used than the aforementioned systems, so the chance of them getting

And yet we take away the license of people that drive in an irresponsible fashion. If you're not willing to take responsibility for your actions, or are unable to, then there needs to be some way of hammering home the damage that you're doing to the group. Just like those idiots that endanger everybody else by refusing to get vaccinated against serious illnesses.

In this case, sure it's not a life or death decision, but spam, phishing, malware, child porn, and other nastiness does ruin lives. Slowing the

Disconnecting people from the Internet over something they're not willingly doing is completely absurd, and in many ways should be considered criminal in the Western world.

This statement of yours is completely absurd

A computer that's a zombie node of a botnet is most likely dishing out spam by the thousands by the minute, effectively clogging the InterTubes with digital feces. Additionally, it is also part of any DDoS attack associated w/ that particular botnet's activities.

The owner of said computer is negligent and should have their connection isolated until the computer engaged in infraction is cleaned.

Calling the owner negligent is assuming a lot. Don't get me wrong - plenty of them probably are. But you can have your box automatically downloading patches, run a top-tier antivirus package, avoid visiting shady websites, and still get yourself infected by some 0-day exploit served off an ad server used by a respectable website (say, CNN).

Disconnecting infected users is a worthwhile idea. Though I wonder if malware writers won't adapt to that - detect disconnections or unusually slow throughput, go into a

I've never heard people suggest that before, but the idea of "using open source = discount on your internet bill" is a good idea.

Nope. Market for software/services to try to make a Windows machine actively running IE look to the outside like a Linux machine running FF/Konq in 3... 2...

I see hitting people's wallets as a good idea in another case though. Some will take being cut off as a simple inconvenience and will, after reconnection, continue to behave as before and get cut off again after a couple of months - lather, rinse, repeat. Charging them a reconnection fee the second and subsequent times might be extra useful encouragement.

I think it's harder to validate if someone is Malware free than identify what OS they're running via modem data, no? I keep thinking ICMP or nmap, but I'm sure there are legitimate ways since the ISP already has your data.

When I think of trying to identify malware, how would you know without inspecting packets? Does malware consistently spam traffic? I would assume not all the time on that.

I'm merely being philosophical on this, as I don't know the answer: if you do, by all means, please answer.

I think it's harder to validate if someone is Malware free than identify what OS they're running via modem data, no? I keep thinking ICMP or nmap, but I'm sure there are legitimate ways since the ISP already has your data.

With a proper router (rather than just a USB modem) in a sensible default situation where by default nothing incoming gets past the router unless it is a response to an outgoing connection, the most you will be able to tell from that sort of probe is a few things about the router.

When I think of trying to identify malware, how would you know without inspecting packets? Does malware consistently spam traffic? I would assume not all the time on that.

You're right, it would not be easy. Obviously someone thinks that it is practical to try though, or the plan would not have been conceived in the first place.

I can think of a few things that, while far from infallible, would prov

Don't they all do packet inspection anyway? And, some of them do deep packet inspection, looking for P2P users, right?

It really shouldn't be that hard to identify a spamming bot. Other bots may be harder to spot, but not impossible. While I don't much like the idea of retaining data on customer usage, I could justify 60 or 90 day retention of records for the purpose of shutting down malware/botnet machines.

"Yes, Barney, these six machines all answer up every single time the MyDoom2015 calls for a roll ca

I've never heard people suggest that before, but the idea of "using open source = discount on your internet bill" is a good idea.

Do it in a very simple way: if you're not running Windows or OSX, you get a 5% discount on your bill. Some might differ on whether to put OSX in the "Do not run" category.

The rest is too discriminatory and too extreme.

There are people out there who are able to configure Windows to be as secure as *Nix or Mac OS. Why penalize them? Penalize the retards who run Windows/*nix/Mac OS as administrator. Penalize the retards who are infected with the botnet zombie 'du jour'. Penalize the retards who mindlessly click on every 'OMGZ YOU WIN IPOD TOUCH CLICK HERE PLZ!111!!!!!!oneoneeleventy!~one!' banners.

"There are people out there who are able to configure Windows to be as secure as *Nix or Mac OS."

You make a pretty good point - except that you exaggerate a little. There are precious few people who can make their Windows machine as secure as *nix or Mac. And, most of those people work for an IT department somewhere that has hundreds of insiders fighting tooth and nail to poke tunnels so they can view their favorite flavor of porn.

I take it that this whole thing is aimed at private, domestic machines, rat

There are precious few people who can make their Windows machine as secure as *nix or Mac.

I think that's pretty inaccurate. Out of the box Windows is just as secure as Linux or a Mac is. It's something that Slashdotters don't like to discuss (easier to blame mothers and sisters I guess) but a lot of malware gets onto systems via warez and the like. For example, here is a point and click tutorial on uploading infected warez [pay-per-install.org], even including how to avoid bans from torrent sites. The appeal of this option is ob

Out of the box? Sure, as long as it's not plugged in it's just as secure as Mac or Linux.

In reality, otherwise, the machines do not have the same security. This isn't an attack on Microsoft, it's just reality. They're poor performers as far as security is concerned and have been from day one.

"Unless you think using Mac or Windows makes somebody inherently more virtuous overnight,"

God, I hope not! I have little use for a virtuous woman!!

Alright, if you insist - I'll try to be serious. Windows is, and always will be, playing catch-up in the security department. The basic, underlying security model was flawed simply because Microsoft didn't believe security was as important as convenience.

In fact - that seems to be part of the argument every time one of the MS fanbois tauntingly reminds us that

It definitely will make an impact if all countries follow suit with a similar program. Contacting the owner is the first good step. As for limiting connection speeds, well, I don't get that, especially if I paid for full speed; whether I am using it for spam or not, it is paid for. But let me know that I am spamming millions of emails per day, and I will change my computer install yesterday.

I think everyone missed my point. The internet as a whole is being attacked by systems loosely guarded by their owners due to onerous and obtuse support requirements and maintenance routines. The fact that there is even an antivirus industry speaks volumes about where we are now.

Windows PCs make up the bulk, if not all, of all botnets (please cite for me any unix/linux/macos x desktop botnet that's been discovered that isn't just focused on weak LAMP setups).

Wait - you are supposed to LOG IN to a hotspot? Seriously? Maybe I've been doing it wrong. I usually just spoof a MAC address, and take over an existing connection. Sometimes, I just log into the router, and change the settings more to my liking. There are so MANY imaginative ways to use a hotspot - why log in? Spoofing a MAC address has the advantage of making my terrorist network activities appear to be dozens of different people. Why, just last week I sold a suitcase nuke to an Ethiopian who had f

I'd rather not have my ISP decide what is a "virus" or "inappropriate communications" thank you. If the users are consuming too much bandwidth then disconnect them on those grounds, but please don't set this precedent.

They usually watch for excessive traffic on specific ports. Since the most immediately profitable use of a botnetted machine is spam, the majority of botnetted PCs are either running open mail relays or are themselves functioning as outgoing mailservers. Many ISPs (including two in my area) watch for excessive traffic going OUT on TCP port 25. Unless you are running a mailserver, your computer has no legitimate reason to send out over that port in volume. Most ISP mailservers are SSL nowadays anyway and are off port 25, so you don't even need to use that if you are connecting to your ISP's mailserver from off-network (and many ISPs outright block port 25 outgoing from anything in their network besides their mailserver). Many ISPs react the same if your computer is listening on port 25 (acting as an open relay).

So if you are pushing megs (or gigs) a day every day on port 25, there's better than 99% chance your machine is botnetted. It doesn't take speculation to figure that out, and the odds of false-positives are very close to zero.

That said, I have no sympathy for someone that knows their computer has a problem that's causing other people grief. That's the most basic understanding of the problem that is given when your ISP gives you a phonecall or email saying you have a problem and need to fix it or we will cut you off. If you're too stupid to acknowledge this and take responsibility for fixing it, or just plain don't care, I'd much rather see you off the internet and out of my Inbox. If you don't care that someone else has violated you by hijacking your computer that's fine with me, until they start using it to violate me, and that's when I start having a say in the matter.

If you want a fun example to separate the computer from the problem, here's something easier to understand: ABC Construction company does building demolitions. They leave their explosives on site and not locked up. They keep getting their explosives stolen. OK, I don't care about that, it's their loss. But then stuff around town starts getting blown up and the explosives are easily traced back to you. That's when it's time for the police to come have a talk with you about securing your explosives. You do not have the right to continue leaving dangerous things so easily accessible that the public is constantly being hurt by them. Even if you want to ignore your moral responsibility for it, the public won't stand for it and you lose your say in the matter. You WILL secure your things or you WILL go away.

Another excellent example is how several states legally require you to have a lock on your anhydrous ammonia tanks to prevent theft and use in drug manufacture. Also, most universities now are requiring students to install AV software on their computers before they're allowed to use the campus net. Your precedents have already been set.

That said, I have no sympathy for someone that knows their computer has a problem that's causing other people grief.

What about people who do not care enough to find out? That is most people. They do not know, because they do not care.

My solution would be to allow victims to sue anyone who is negligent for the consequences. I think making everyone whose machine is in a botnet jointly and severally liable for all damage would be excessive, but each of them should face a liability big enough to be worth suing over.

My ISP (Clearwire, fwiw) has on several occasions throttled me down to about 5 KB/s until I call and ask what's up. I get a level 1 tech who reads me the entire "have you run your antivirus software lately, do you leave your computer on all the time, etc." script before I can tell him that I run os x on a laptop that spends most of its time at work.

The call immediately goes up the chain, I have to explain myself again, I get put on hold for a minute or two, and then the problem is mysteriously solved. All w

I don't run any internet-facing servers - in fact, my firewall is locked down as far as it can be without causing problems for myself, and every nonessential service and port is closed. My wireless network uses WPA2 and MAC filtering. All that, and I was identified several times as a zombie.

Have you port-sniffed your computer with another machine? Port sniffed your wireless router? Your router might be a zombie, and I've seen Mac zombies that look benign from the OS side, but have ports open that the GUI says are closed.

Yes, I've run tests on my network that confirm what I already thought. I have a small Dell mini with a few network utilities installed that I've used to troubleshoot issues in the past (said dell spends almost zero time connected to the internet).

It was actually during the course of scanning my network that I came across all my neighbors.

I just scanned again for my personal edification, and everything is locked down. The only thing I can't control is my clearwire modem, but I've been trying unsuccessfully t

It doesn't really matter what you want if your ignorance is leading to these kinds of problems.

And bandwidth isn't a very good indicator since each individual bot doesn't have to actually send all that much info.

Personally I think there are certain patterns that could be gleaned from the traffic to help determine if there is a problem. Hundreds of failed connections or invalid packets per second, for instance.

Do I want to give the power of choice to the ISP? Not really, but who else is able to do it?

What would happen if those ISPs notice increased profit and customer satisfaction (overall) when they are paying less for resources used up by bots?
(Assuming they don't have problems with false-positives or find far too many customers being cut off, etc.)
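The two signals described in this thread, a subscriber pushing "megs a day" out on TCP port 25 (the port-25 comment a few replies up) and "hundreds of failed connections per second" (the pattern mentioned just above), can both be scored from ordinary flow records without inspecting payloads. The following is an added example, not code from any ISP or from the thread: the flow records, account ids and thresholds are constructed for illustration, and the declared-mail-server exemption is the assumption the port-25 comment itself makes.

```python
"""Per-subscriber botnet heuristics over flow records (added example).

Signals scored, both taken from the thread:
  * outbound bytes to TCP/25 over a day, exempting accounts that have
    declared a mail server to the ISP (assumed exemption list);
  * peak number of unanswered connection attempts in any one second.
Thresholds and sample flows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since the start of the observation window
    subscriber: str  # ISP-side account id (constructed)
    dst: str
    dport: int
    bytes_out: int
    completed: bool  # False if the SYN was never answered


# Illustrative thresholds (assumptions, not an ISP's real policy)
SMTP_BYTES_PER_DAY = 50 * 1024 * 1024   # "megs a day" on port 25
FAILED_PER_SECOND = 100                 # "hundreds of failed connections per second"


def score(flows, declared_mail_servers=frozenset()):
    """Return {subscriber: [(reason, measured_value), ...]} for flagged accounts."""
    smtp_bytes = defaultdict(int)
    failed_per_sec = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dport == 25:
            smtp_bytes[f.subscriber] += f.bytes_out
        if not f.completed:
            failed_per_sec[f.subscriber][f.ts] += 1

    findings = defaultdict(list)
    for sub, total in smtp_bytes.items():
        # A declared mail server legitimately talks to many MXs on port 25.
        if total >= SMTP_BYTES_PER_DAY and sub not in declared_mail_servers:
            findings[sub].append(("smtp-volume", total))
    for sub, buckets in failed_per_sec.items():
        peak = max(buckets.values())
        if peak >= FAILED_PER_SECOND:
            findings[sub].append(("failed-connections", peak))
    return dict(findings)


def sample_flows():
    """Constructed flow records covering a spam bot, a real MTA, a scanner and a normal user."""
    flows = []
    # acct-001: compromised host delivering mail directly to hundreds of MXs (80 MB/day)
    for i in range(400):
        flows.append(Flow(i * 60, "acct-001", f"mx{i}.example", 25, 200_000, True))
    # acct-002: identical traffic shape from an account that declared a mail server
    for i in range(400):
        flows.append(Flow(i * 60, "acct-002", f"mx{i}.example", 25, 200_000, True))
    # acct-003: 300 unanswered SYNs to port 445 within a single second (worm/scanner)
    for i in range(300):
        flows.append(Flow(100, "acct-003", f"10.0.{i // 256}.{i % 256}", 445, 60, False))
    # acct-004: ordinary browsing, mail submission on 587, one stray failed connection
    flows.append(Flow(5, "acct-004", "cdn.example", 443, 50_000, True))
    flows.append(Flow(9, "acct-004", "smtp.isp.example", 587, 4_000, True))
    flows.append(Flow(12, "acct-004", "printer.local", 9100, 0, False))
    return flows


if __name__ == "__main__":
    for account, reasons in score(sample_flows(), frozenset({"acct-002"})).items():
        print(account, reasons)
```

Note that acct-004's mail goes out over the submission port, so it never counts toward the port-25 total; that is exactly why the port-25 comment considers false positives rare once declared mail servers are exempted.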

It's not like everyone knows how to remove botnets from their machine (and in some cases they cannot afford to hire someone to). I hope the ISPs will provide this kind of support as part of standard service before they consider disconnecting users...

If they can't afford to keep their machine clean, they don't go on the Internet. Sucks to be them. They don't get to pass on the cost of their mistakes to everyone else, like they do if you just keep their connection alive.

Then don't disconnect zombies. Redirect any request from those IPs to a web page that explains the situation and why that computer shouldn't be on the net, for their own good, and have as direct downloads the most typical cleaning and other essential applications for that stage, and maybe list local companies that do the cleaning if the person doesn't want to do a fresh format.

Being unwilling to learn, or unwilling to ask someone who does know, would still qualify as refusing to fix the problem.
Here's a car analogy for you:
The users who are likely to crash by failing brakes are the least likely to be able to repair their own brakes...

This is the deal - it is about responsibility, about being a part of a community. Behaving in a way that harms other users, whether it is the road, the internet or anything else for that matter, is frankly wrong. The internet wouldn't be here if it wasn't for other people participating in this network. We therefore have a right to expect, in return for our participation, acceptable behaviour. If you don't like it - go build your own internet.

I don't know about the situation in your country, but here in the UK any car over a certain age undergoes mandatory regular testing (the MOT), which is designed to check the road-worthiness of the car. These tests are paid for by the owner of the car, and not having a valid MOT certificate brings all sorts of problems (not least of which is that it invalidates your insurance).

Perhaps the same should be true of PCs? Since we're equating poorly maintained cars with poorly maintained PCs.

Oh god, no. This is a very very bad idea. We do not need to have our PC's "certified" by a Ministry, Department, or any 3rd party for that matter. Yes, they have done that for cars for pollution testing but it makes no sense for computers.

Do you seriously want some twithead bureaucrat telling you what a "safe" PC is and what a "dangerous" PC is?

I want you to choose a number from 1 to 60. This number represents the amount of seconds before Linux (or some other disliked-by-those-in-power application) goes onto the "dangerous" list. This number also represents how many days you have to install a properly maintained OS, such as those produced by Microsoft, onto your PC. Within 10 days, please bring us proof that you have made the correct repairs and we will waive your fine. Oh, but court costs are 200 euro. Thank you, drive through.

I am deadly serious when I say this: This is one of the all-time worst ideas I have ever read on Slashdot.

I agree that the car analogy has some merit. But it is incomplete. It is more like someone is driving around with a car with a manufacturing flaw that is not obvious. You don't see that the brake is not working. When you brake everything works fine, when you accelerate everything is fine, maybe a little slow but fine. What you don't know is that someone is using part of your trunk to transport drugs, because the lock was made such that they could open it up and put it in, open it up and take it out without yo

Who cares? He owns it, it's his responsibility to fix it. Pay someone if he can't figure it out and stop clicking on NAKED_PHOTOS.EXE or doesn't understand why he should be doing those Microsoft updates. Should we also coddle drivers with unsafe cars because they aren't mechanics?

It's only when there's a financial incentive to keep a machine patched and thinking before clicking that people will begin doing so. Or switching to OSX or Linux. The status quo of not taking responsibility for your own computer isn't sustainable and isn't helping anyone.

OK, I just had to jump in here. I'm tired of the people who say "Switch to linux and the spam/virus/worm problem will be solved!". It wouldn't solve sh*t! The spammers and virus/worm makers would just develop for the new platform, and the only reason that Linux is so secure is that the malware devs aren't developing payloads that attack it.

Everyone talks about their rights, but few speak up about their responsibilities.

If people don't live up to their responsibilities, they lose their rights. Not as a matter of some government mandate, but as a simple, logical, natural consequence of ruining things - the internet, safe roads, a healthy economy, etc. - for other people.

If people don't live up to their responsibilities, they lose their rights. Not as a matter of some government mandate, but as a simple, logical, natural consequence of ruining things - the internet, safe roads, a healthy economy, etc. - for other people.

That shits on centuries of philosophical thought.

I think you confuse the word 'right' with the word 'privilege'. Driving a car? That's a privilege, revocable when used irresponsibly.

The internet is developing into a primary means of communication, especially

This is correct. I know plenty of people who are clueless about security, and computers generally (I'm thinking of the ones who ask me "Do I have Adobe on my computer?"), but I'm not prepared to tell them they have to stop using them until they become experts. The real solution here is to offer proactive solutions. The ISPs could provide them for free (including house calls) and probably still come out ahead financially.

I am not able to fix my car and yet the government wants me to have things safe for others. I doubt that I can use that as an excuse for driving around in a car that is not up to the standard that they demand. I believe there is a difference between fixing it and fixing it yourself.

Well, at least the intended mechanism will make sure that people notice that their PC is abused. Furthermore, it imposes pressure on people to care about some basic security measures. I think, many of them will soon take care - in whatever way. But if they refuse to realize that their data is in trouble and that they are (passively) involved in online crimes, why not shut down their net access? Someone who does not exactly know what to do will know the shop where (s)he bought the equipment or even a local shop that offers paid support - there is no excuse in that case.

I've made some similar experience on my own some years ago while living on campus connected to a network of about 1,000 machines. The admins enforced a "three strikes" directive: if someone's machine was spreading viruses via internet access or via FTP/SMB shares or misbehaved in other ways (disturbing the DHCP and break-in attempts on internal servers, mainly), (s)he got a notice in her/his (real life!) post box to stop misbehaving/to fix the computer. As I recall, the note contained a paragraph offering help in case people weren't able to cope with the problem themselves. They only had to block less than 10 machines during the time I lived there (4 years, approx.), as people really reacted quickly and we could even observe a (small) learning curve because new inhabitants mostly were briefed by their neighbours shortly after they had moved in.

So: Go ahead, Aussie ISPs! That's definitely the way to go - and to further sysadmin appreciation, but that's a different piece of.....

This SOUNDS like a good idea in theory, but what will end up happening is that hackers will start to send fake notices to Australian users and will easily be able to trick people into giving personal information (i.e. account numbers, CC numbers, etc.) by claiming to be from the government and/or ISP. They need to create some sort of control around this, but I only see it causing problems....

I don't know why the emails would ask for personal information. I can however see this as a great opportunity for virus emails: The government has noticed your computer is infected and sending out spams. Now run this attached executable to remove it.

Partially, but it isn't the operating system's job to stop the user from being an idiot. If you want to run executables from suspicious websites, that's your right. And if the rest of the world wants a device to stab you in the face over the internet, that's their right, too.

I can't think of an OS that can tell the difference between skype spraying bits all over the internet versus a spam mailer spraying bits all over the internet. In both cases, the user probably clicked something (skype.exe or boobs.jpg.exe), and clicked "OK" when the OS asked if they were sure. At that point the reins are in the hands of the user.

You can put a HUD, anti-lock brakes, cornering headlights, parking sonar, all-weather tires, and wrap-around cabin airbags in a car, but a stupid user will crash it.

The code states ISPs should cut off internet access only in the "most extreme of cases", when a customer had refused to install anti-virus software, or where the amount of spam being sent from the customer's account was clogging up the network.

Does that mean they will cut off users who simply don't have an AV program, even if they're not infected?

If there are no signs of botnet activity from a computer, how would they know it doesn't have AV software? Something tells me ISPs aren't going to devote resources to asking their customers just in case...

Perhaps change the terms of service as to require AV software installed before a computer is let onto the Net. Perhaps requiring software to be installed on a given computer to check whether it has an applicable AV program.

So, if the software finds that there is an acceptable AV program, then the ISP is contacted and unrestricted access is permitted. If the software finds the AV program doesn't qualify, or doesn't exist, then the person only has access to a page that says, "You don't have a qualified AV pro

No, not going to happen. For a start, such a program would have to be available for every common iteration of every operating system and be able to recognise the installation footprint of a variety of AV software, and be constantly updated to recognise new versions and work around any changed settings. No Australian ISP is going to put in that kind of development work when they can just monitor their logs for suspicious activity (and already do). Besides, attempting to mandate a particular hardware/software

I've been calling for this for years, on Slashdot and other venues. ISPs do monitor suspicious behaviour. I can remember many many years ago when I was much younger and playing around with netbus and scanning the default port 1234 with it for about 20 minutes. The next day we got a call from the ISP asking if everything was okay.

There is no reason that a reasonable profile can't be built to detect standard bot activity and customers notified if this kind of behaviour has been noted coming from their connect

The problem I have with this is that my own ISP has blocked me using the excuse that I might have an infected computer. I tell them that I'm running os x and the problem is immediately fixed.

What concerns me is that what my ISP was doing was not 'bot profiling' (I have almost every port blocked and I'm not running any services that use weird ports, like some p2p software does)- they were simply disconnecting/throttling down their heavy users. I don't use the internet at home more than a few hours a day, and

I usually hate messing with a protocol, but this sounds like a good use of a DNS redirect. When a user is deemed infected by whatever measure they decide, have the first web-page that the user brings up a re-direct to an ISP warning page with info on how to cure the problem.

I suppose if the user refuses to do anything about it you could cut him off after a month or so.

Whenever this has happened to me (when the person in charge of the bill forgot to pay it on time), the redirect page includes a phone number which is the only way to continue making progress with the issue.

If you're the sort who clicks on the fake warnings, eventually (with this method) the ISP will give you the real redirect page that fails to include any links.

ISPs should be disconnecting zombied machines. The catch is they need a test which catches most zombie machines while not catching any non-zombies, and most ISPs are neither competent enough nor interested enough to do so. If their procedure has systemic problems which disconnects non-zombies, then the cure is worse than the disease.

I didn't completely RTFA, but..
If this works anything like the same way it does here, it basically redirects you to a generic page where you can download virus / etc checks and fix your system. You can't simply reach other places (or get a connection with other protocols) in that state.
The ISP has basically just IP blocked you at that point (other systems under the same connection function like normal). The ISP also re-checks your system every hour or two to see if the issue has been resolved. This is also explained in the page with more detail.
If it follows the same formula then I am all for it due to it working flawlessly so far. No false alarms so far in my rather heavy use.
Oh yes, and I first ran into this in 2004.

Don't disconnect them. First, only block the ports being abused. If that doesn't work, confine them to a "walled garden" that tells them who to call to fix the problem. Then when they do call, help them fix the problem.
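Several replies describe the same remediation ladder: a DNS redirect to a help page, a walled garden that is re-checked every hour or two, and the suggestion just above to block only the abused ports before confining anyone. The escalation logic below is an added example written for this thread; it is not the Australian industry code, nor any ISP's system, and the grace periods, the help-page address and the hourly recheck cadence are assumptions chosen to match what the commenters describe.

```python
"""Remediation escalation for a flagged subscriber (added example).

Ladder, as described in the thread: notify and drop only the abused
outbound ports; if abuse continues, a walled garden where DNS and HTTP
are answered by the ISP's help page; termination only after a long
hold-down. A clean recheck at any point restores full service.
Grace periods and addresses are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    CLEAN = "clean"
    PORT_BLOCK = "port-block"        # notified; only abused ports dropped
    WALLED_GARDEN = "walled-garden"  # DNS/HTTP answered with the help page
    TERMINATED = "terminated"        # manual reinstatement only


RECHECK_INTERVAL_H = 1        # "re-checks your system every hour or two"
PORT_BLOCK_GRACE_H = 72       # assumed: three days of continued abuse
GARDEN_HOLD_DOWN_H = 30 * 24  # "cut him off after a month or so"
HELP_PAGE_IP = "192.0.2.10"   # documentation address standing in for the help page
GARDEN_PORTS = {53, 80}       # the only egress the garden needs to answer


@dataclass
class Subscriber:
    account: str
    stage: Stage = Stage.CLEAN
    blocked_ports: set = field(default_factory=set)
    hours_in_stage: int = 0
    actions: list = field(default_factory=list)


def recheck(sub, abused_ports):
    """Apply one periodic recheck; abused_ports = destination ports still being abused."""
    if sub.stage is Stage.TERMINATED:
        return sub.stage
    if not abused_ports:
        if sub.stage is not Stage.CLEAN:
            sub.actions.append("restore full service")
        sub.stage, sub.blocked_ports, sub.hours_in_stage = Stage.CLEAN, set(), 0
        return sub.stage

    sub.hours_in_stage += RECHECK_INTERVAL_H
    if sub.stage is Stage.CLEAN:
        # First strike: contact the customer and block nothing beyond the abused ports.
        sub.stage, sub.hours_in_stage = Stage.PORT_BLOCK, 0
        sub.blocked_ports = set(abused_ports)
        sub.actions.append(f"notify customer; block outbound {sorted(abused_ports)}")
    elif sub.stage is Stage.PORT_BLOCK:
        new_ports = set(abused_ports) - sub.blocked_ports
        if new_ports:
            sub.blocked_ports |= new_ports
            sub.actions.append(f"block outbound {sorted(new_ports)}")
        if sub.hours_in_stage >= PORT_BLOCK_GRACE_H:
            sub.stage, sub.hours_in_stage = Stage.WALLED_GARDEN, 0
            sub.actions.append("walled garden: answer DNS/HTTP with help page")
    elif sub.stage is Stage.WALLED_GARDEN:
        if sub.hours_in_stage >= GARDEN_HOLD_DOWN_H:
            sub.stage = Stage.TERMINATED
            sub.actions.append("terminate connection")
    return sub.stage


def egress_allowed(sub, dport):
    """Would the ISP forward an outbound connection to dport for this subscriber?"""
    if sub.stage is Stage.CLEAN:
        return True
    if sub.stage is Stage.PORT_BLOCK:
        return dport not in sub.blocked_ports
    if sub.stage is Stage.WALLED_GARDEN:
        return dport in GARDEN_PORTS
    return False


def resolve_dns(sub, name):
    """In the garden every name resolves to the help page; otherwise None = resolve normally."""
    return HELP_PAGE_IP if sub.stage is Stage.WALLED_GARDEN else None


if __name__ == "__main__":
    s = Subscriber("acct-001")
    for hour in range(PORT_BLOCK_GRACE_H + 2):
        recheck(s, {25})
    print(s.stage.value, resolve_dns(s, "www.example"), s.actions)
```

The design point is that the garden only ever answers on the ports it needs, so a subscriber whose box is still sending mail loses nothing further, while their browser lands on the help page whatever name it asks for; a single clean recheck, not a phone call, is what lifts every restriction short of termination.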

Why harm 100,000 users when you can just disable 1 CnC system? Researchers have already shown, over and over, that it is possible to not only take over botnets but to shut them down. If all the ISPs are going to get together and work as a team then why not work on THAT?

There is a responsibility by any user not to interfere with others. Being infected with a botnet is certainly one for this category. Not responding to warnings of infection is negating this and is abusive of others using the net. Why should users that interfere with others be tolerated?

To simply say that a significant number of the people that have botnets don't know how to remove them, even after warnings, is far too simplistic an excuse. The same can be said about their ability to pay to have them removed.

At college, the school did exactly this. They shut down every computer that was infected. If you get into a car accident on the highway, you might get your license suspended. So why shouldn't you be responsible for your actions online?

But at college, they also did all the things you mentioned. Also, the local police monitored the connections, because a week into the semester, the police came into my class to arrest a freshman for downloading things of an illegal nature.

The major problem is to identify legitimate traffic vs. botnet traffic. We know there are filters that also catch the unintended, such as censorship black lists, no-fly lists, banned book lists. And if you look at the spam or the arms races or business, when a restriction is found, the criminal finds a way around it. In the meantime the fellow whose computer was taken over is taxed with the penalty of no connection and the time to fix it. This is a little like making a victim of a crime have to come in day

Mark me as flamebait if you like, but this was started by the Internet Association, so chances are they probably have a pretty good idea on what they are doing. They would have buy in from their staff to be able to get this one through, their staff are probably sick of having to deal with all the SPAM complaints and everything else from these hosts. They probably have an even better idea on what they are doing to their network than what you do.

Not entirely true. Most phone companies have anti-fraud systems and will detect and possibly disconnect you if you suddenly make 1000 times as many calls as usual. Compare with making a thousand new connections a minute to TCP port 25.

Cue crazy guy who thinks every business proposal is a conspiracy by the government to "finally" get him. Err, if they wanted you, you'd be in a jail cell. No need for some business regulations about zombies to make it look legit(?). Also, I think your tin foil hat is looking a bit crooked. Some alpha waves might be getting in!